Krebs on Security

In-depth security news and investigation

Underweb Payments, Post-Liberty Reserve

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward.

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and it’s late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors. As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies). Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and ne’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro — a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).

Another core member of a different, Russian-language crime forum used the Liberty Reserve news to announce his own, private e-currency and exchange exclusively for forum members. To generate interest in the new system, which this member says has been under development for six months, he is offering a $5,000 reward to any hackers who can break the system’s security.

“Dear friends! I submit to your consideration a new project as a payment system,” writes “Taleon,” a longtime provider of cashout services for fraudulent wire transfers sent via Western Union and Moneygram (think cyberheists against small businesses). “After eight years of excellent reputation in the financial services industry, I now want to offer a mini-payment system, designed specifically for your needs. It is not necessarily made for you to keep your savings in, but instead to use this system for small settlements.”

A new payment method that debuted since Liberty Reserve’s demise.

Taleon highlighted the benefits of his new currency thusly:

“The pros:

-It is not registered anywhere, and is not governed by any law other than arbitration private forums.

-We do not ask for your personal data, except for the private message on the forum or confirmation from other members.

-The system focuses strictly on the activities of the forum.

-Security system is set up with the reality of today and even more.

-Information stored 2 months, and then permanently deleted, and deletion of information at the request of the user-specified encryption key.”

If these private systems focus heavily on security, it will be unsurprising given Liberty Reserve’s reputation. Liberty Reserve used an insanely secure and redundant system — including far more protections against account takeovers than I’ve seen at any legitimate financial institution. Users were required to enter an account number and password, and then a Login PIN. If the system didn’t recognize your computer and/or IP address, it would send a one-time “verification PIN” to your email and require that before logging you in. In the event that you wished to send someone LR currency, the process involved solving a CAPTCHA, entering a static, user-specific “Master Key” and your Login PIN — the latter two often requiring the use of a randomized on-screen keypad. Enter any of these incorrectly and the system required you to start over.

In the short run, I’d expect WebMoney to be the chief beneficiary from the closure of Liberty Reserve. Longer term, I’d expect to see more of these independently-run, forum-specific currencies+exchanges that are not tied to any specific country, or that are based in countries that are actively hostile or at least not particularly friendly to the United States.

Update, 9:58 p.m., ET: Looks like I am not alone in saying WebMoney will be the big winner here. Sophos just filed a blog post on the Liberty Reserve takedown that includes a graphic of a poll one underground site took on which e-currency would work best:

This entry was posted on Thursday, May 30th, 2013 at 4:17 pm and is filed under A Little Sunshine, Web Fraud 2.0.

152 comments

What all of you seem to have forgotten, is how much US companies like WesternUnion are involved in illegal transactions and $-laundering. Just to name a few facts: in 2007-2008 one Romanian individual transferred 5 million € to his OWN name from ONE WU branch in Verona Italy.
Many WU branches in London, run by certain criminals, charge 15-20% of the transferred money for not checking the identity.
Any private person with cash and a clean record can open up a WU office worldwide!
2003-2006 over 2 billion € were transferred to Romania via WU!
When confronting a WU security officer with these facts, he almost got physical in front of a large crowd!
LR was also busted for various OTHER reasons apart from the ones made public and stated here…..

Neither was LR. If anything, LR was more like that period when the sender gives the money to WU and when the user goes to WU with the MTCN on the other side of the world to pick it up… you didn’t have to do that right away either.

“I’m curious … do you not believe that there could be an agenda? Or do you just not believe that there is an agenda?”

Of course there is an agenda. Even if no action was taken, that could be seen as part of an agenda.

“If the US is not against digital currency but wants to dictate…”

The U.S. states that this is not an attack on digital currency but a criminal enforcement action.

“You still have not answered my question as far as what your opinion is as far as why the US is the ones ‘leading’ this and not CR or any other country. This is not the US aiding CR — this is the US doing the charging.”

Again, LR was operating without a CR license when they were required to do so. LR deceived the regulators in CR by pretending not to be operating out of CR after retracting their license application.

The U.S. is prosecuting for the exact same reasons the U.S. is the one that confronts Iran, not Saudi Arabia, why the U.S. is conducting drone strikes in Yemen and Pakistan and prosecuted Colombian drug lords.

1. The U.S. has, rightly or wrongly, deemed these behaviors counter to its interests.

2. It’s the only thing these people fear. The U.S. prosecuted Colombian drug lords even though their crimes were committed in Colombia. The drug lords feared U.S. prosecution to the point they attacked the Colombian Supreme Court, murdering justices and burning the building to destroy documents.

3. U.S. prosecutions (and drone strikes) give the host country’s politicians cover against what may be a politically unpopular action locally. Political instability may result in the host country if blame cannot be deflected to the U.S.

4. U.S. institutions are not overwhelmed or corrupted (relatively speaking) by large scale, high profile prosecutions.

5. There’s a never ending supply of ambitious prosecutors looking for a promotion or political office.

“And saying all people are criminals is again telling everybody else what to think — and the government likes to prejudice cases like this.”

I’ve never alleged you are doing anything illegal, either in the U.S. or anywhere else. Your software may be animating Justin Bieber concerts and interviews for all I know.

But I strongly question your choice of payment processors. Why not choose one of the dozens of processors that have been operating in Western or Eastern countries for years without any enforcement actions taken against them? They are accepted by companies all over the world.

LR was a train wreck waiting to happen from day one. It, along with PM, is the HYIP ponzi payment processor of choice and it’s been touted on every HYIP forum out there. Did you not see that?

One or two good apples in a rotten barrel will not go unmolested when the authorities decide to act. Again, the U.S. alleges that LR was set up by criminals for criminals and very little legitimate business was conducted by LR. They will have to prove that in court or the case will be thrown out.

Thank you. I consider myself more the ‘victim’ of an overzealous foreign government than a victim of LR, so I am not ‘counting my chickens’ as they say. I would be happier if the businesses involved were to get their money back in a matter of a few months, but I am guessing it will take them 10+ years if they do it at all (and given the massive number of ‘customers’ LR serviced, which far eclipsed that of E-Gold (who *was* illegally operating on US soil), I’m going to say that it would probably be a losing wager, and would most likely entail something not too unlike your IRS audits or worse, if it were to happen. It won’t. Just as ‘the banks’ were ‘too big to fail’ this is ‘too big to remunerate’ (which is pretty apparent when you consider that it was also ‘too big to prosecute the residents who were committing crimes in their territory, even if they got confessions from each and every one of them’.

“Another similarity between GoldAge and Liberty Reserve is the alleged use of numerous identities by Budovsky and business associates, according to sources familiar with both operations. In 2002, Budovsky granted an “interview” to Ragnar Danneskjold, described as “editor of Planetgold.com,” in which Budovsky, who says he is married to a “wonderful wife with two beautiful daughters,” announces the May 28, 2002 launch of Liberty Reserve. Asked about the risk of attracting organized criminal elements, he said he “would be only too happy to cooperate with authorities in situations” involving “a murderer, kidnapper, or drug kingpin.””

Only realised this now — ‘May 28, 2002 launch’ ‘May 28, 2013 indictments’. Was this supposed to be clever or just a coincidence?

I would too except they’d been building the case for a while, and were sitting on it for a while as well. From what I’ve been reading in the court documents, the paperwork was done (some for weeks, some for about a week), but they put off announcing even though they pulled the site down days earlier. While I am not saying it was their main goal, I would not doubt some agents might see the humour and irony in picking that day to go public.

I see here many Americans proud of their Government, but tell me, what do you think about this??

” Foreign-located MSBs are financial institutions under the BSA. With respect to their activities in the United States, foreign-located MSBs must comply with recordkeeping, reporting, and anti-money laundering (AML) program requirements under the BSA. They must also register with FinCEN.4

Foreign-located MSBs are subject to the same civil and criminal penalties for violations of the BSA and its implementing regulations as MSBs with a physical presence in the United States.”

For example, if I have a currency exchange (USD/EUR/AUD/etc) in Zimbabwe, I should be registered with FINCEN (a US state institution) before I can exchange some funds for a US citizen. How absurd is that?? :))) Basically, the US citizens traveling abroad have only a handful of financial institutions that they can legally use. Nobody is going to be able to make any transaction with you unless they are registered in the US with Fincen. Are you blind Americans? Is this the land of the free where you are living at?? Or rather the land of the sheep?? :))

This is a law passed in 2012 (March), and they can go after any money transmitting business in the world, basically even if LR or ANY COMPANY was legally registered in Costa Rica, based on this law they could intervene and seize it, because it is not registered on American soil with Fincen. I’m not saying that closing LR was a bad thing, they were far from honest, but wake up Americans, your government is passing laws in your country that can be enforced in other jurisdictions. That’s not democracy you are living in, that’s plain dictatorship!!!

P.S. – UBS, Wells Fargo, Bank of America, etc. have all been fined for helping tax evaders and drug dealers flush out billions of dollars from your country…that’s billions, not 60 millions what LR and Egold had….wake up and see the big picture, they feed you these news where they tackle fraudulent systems like LR when billions are being “washed” by the banks you all know, love and use…They only show you the tip of the iceberg, and you are too blind and why not stupid to see the bank lobbyists who run your life on a daily basis…did you pay your mortgage today America?? I know you didn’t because we, as in the rest of the world, are still paying the mess you left behind in 2008 by Lehman Brothers and your money printing machines…

Not quite true. The U.S. requires banks and MSBs registered in the U.S. to follow certain rules. Basically, if you want to do business with U.S. institutions, including foreign banks with U.S. branches, you have to meet certain requirements. Many other countries have similar laws.

If an American bank wanted to do business with a French bank, for example, the American bank has to comply with French regulations. The French bank can’t just do what they wish.

So if UBS and Wells Fargo violate the law, we should just ignore everything else as well?

One thing I find very troubling about the FinCen regulations is, if I am reading them correctly, a business must go through registration in every single state they might do business with, in order to be able to do business safely. That’s not one filing. That’s what, 50+territories?

Let’s put it this way. I am not a banking lawyer, nor do I play one on the Internet.

Basically, the U.S. is a federation of 50 states and a few territories. Very often, Federal rules will trump state rules. But with banking, investments and other financial vehicles, you very often need to register with the states as they regulate….often with 50 sets of rules.

i.e. Large banks with say “Wells Fargo” on the marquee, would have to have separate entities such as Wells Fargo CA, Wells Fargo AZ, Wells Fargo TX. In addition, there were federally licensed “national” banks.

The rules have changed over the years in some instances. i.e. Wells Fargo does not have to break itself into various state entities (but I could be wrong on this point).

Doctors, lawyers, banks, brokers, investment advisers, real estate agents, etc generally have to be licensed in each state they do business in as each has its own set of regulations in addition to any national laws.

If a lawyer who’s admitted to the Bar in South Carolina and Florida wishes to argue in front of the U.S. Supreme Court, that’s a separate set of permissions.

What this effectively does is cut off the ability for anybody else to compete with the larger companies on anything but a local scale for financial and logistical reasons. It creates a situation in which only the rich, powerful companies capable of hiring an army of lawyers and accounts can prosper and anybody else can get struck down at any moment by a technicality (well, 50+ states’ worth of voluminous technicalities).

I am not sure I agree with you on this. California, New York and Texas are each independently larger than all but the top 15 economies in the world. Even our smallest state is in the top 50% of the world’s economies by “GDP”.

My experience is that there are two phases in these situations.

Consolidation: Big companies gobble up smaller ones until there are about 3 large players left. i.e. Ford, GM & Chrysler (The Big 3) in the 1970s for the U.S. Same is true in accounting and lots of other markets. Banks have been gobbling each other up the past few years, until housing collapsed.

“Organic” growth: People rebel at a certain point and say “screw the big people”. We have lots and lots of smaller credit unions, community banks, etc if you want good service.

There may not be a “boutique” cell phone company because of the infrastructure requirements but I can still get a local reseller as my ISP. With a real, local, competent person answering if I need support.

(as opposed to your example, France, where you might be required to register once to do business in France (and actually I am not sure you need to register in France to service a French citizen — given the EU it is possible you only have to register once to service all EU members, if not less, no?))

And I think the issue is, the banks are NOT being punished. For certain the criminals who run them are not — they are walking away with your ‘golden parachutes’ of millions and millions of dollars, or keeping their jobs and receiving bonuses with buyout funds that they only got because they were so entrenched in the system that they blackmailed the US into saving their asses and not punishing them from a criminal standpoint, and barely from a monetary one. What is missing is *parity*.

LR didn’t even register with Costa Rica. They caught the owner on the run in Spain I thought.

You’re still crying USA? When no one can even come up with a legitimate job they were using LR for?

All I hear is forex trading, pre paid debit cards, and “i’m a computer programmer from the ukraine”……

What you don’t realize is the whole world is starting to hate hackers…and this is only the beginning. Most American CEOs still don’t care yet. Most Americans, even though 1 out of 3 get some credit stolen, still can’t put a face on it.

But that is changing little by little, and contrary to your delusions. It’s a world effort.

Agreed on the banks. Everyone was in on it. RE agents, brokers, appraisers, bankers, mortgage companies, everyone. The average janitor in one state self reported income of over $200,000.00 a year, more than most doctors and nobody paid any attention as the average mortgage went from 30% of gross income to over 70%.

With that, I will go back to my “lurk and occasionally comment once or twice mode” for a while. It is time to get to the business of rebuilding my business, or trying to. I generally do not participate much so this has been exhausting. I do appreciate all of the debates.

US, by doing this they are bringing more hate into their country. USA is the most hated country in the world. I wouldn’t be happy to be an American citizen. They say they are the strongest, that no country can touch them…well…let’s leave it to mother nature…You wake up in the morning, tuned on CNN = USA = people die here, people die there, tornadoes here, B* there…This doesn’t just happen like that. These things happening to USA are a revenge for the wrong things they are doing to other countries, which is not only stealing money but killing innocents. At the end, God is the master of all masters.